Privacy policy

Jun 9, 2025

Solo Eleven LLC (doing business as Reflect) respects your privacy and is committed to protecting any information we collect from or about you. This Privacy Policy explains how we handle your personal data when you use the Reflect mobile application or any related websites, services, or features (collectively, the “Services”).


Educational & Lifestyle Use Only: Reflect is designed solely as a tool for personal growth, education, and general wellness (to help you organize thoughts, practice mindfulness, and gain insights). It is not intended to diagnose, treat, or cure any mental-health or medical condition, and it is not a substitute for professional therapy or medical care.


Use of OpenAI’s Services: Reflect uses OpenAI to process your text or audio inputs and generate AI-based responses. We are an OpenAI business customer, so our direct agreement with OpenAI (not OpenAI’s consumer privacy policy) governs how your prompts and AI outputs are handled by OpenAI’s system. (In other words, the data you send through Reflect is processed under our contract with OpenAI, rather than as data from an OpenAI consumer app.) For more details on OpenAI’s data practices, you may refer to OpenAI’s documentation. If you have any questions about Reflect’s integration with OpenAI, please contact us (see “How to Contact Us” below).


For more information on how OpenAI collects and uses data for its own model training and development — including your choices regarding such usage — please visit OpenAI’s Help Center. If you have questions about this Privacy Policy or how Reflect integrates with OpenAI, you can contact us using the details provided in the “How to Contact Us” section below.


No HIPAA or Medical Privacy Coverage: Reflect is not a medical or healthcare service, and Solo Eleven LLC is not a “covered entity” under health privacy laws such as HIPAA. Information you share in Reflect is not protected by doctor–patient confidentiality or HIPAA in the way information with a healthcare provider would be. We will protect your data as described in this Policy, but please keep this distinction in mind.


If you are a healthcare professional, do not use Reflect for any patient records or PHI. We do not sign HIPAA Business Associate Agreements, and Reflect is not a HIPAA-compliant platform for storing clinical data. You, as a professional, are fully responsible for complying with all medical privacy laws and professional obligations. Any personal health information you choose to record in Reflect is handled as ordinary personal data under this Privacy Policy – not as a protected medical record. We are not obligated to report any information you share to authorities or third parties (except as described in this Policy), and we cannot guarantee HIPAA-level safeguards. Journaling or sharing personal thoughts in Reflect is fundamentally different from seeking care from a licensed provider.


By using Reflect, you consent to our processing of your journal entries and audio transcripts (including sending them to our AI service providers) to provide and improve the service.




1. Personal Data We Collect


When you use Reflect, we collect different types of personal data (“Personal Data”) for various purposes as described below.


Personal Data You Provide: You may provide us with certain Personal Data when you use the Services, including:

  • Account Information: When you create an account on Reflect, we may collect basic details such as your name, email address, and any other information you voluntarily provide (e.g., an alias or profile image). If there are in-app purchases or subscription payments, we may collect information about the transaction (such as confirmation of payment) to maintain your subscription status. Note: Payment processing (including subscriptions and any refunds) is handled by the Apple App Store and is subject to Apple’s own policies, so we do not receive your full payment card information.

  • User Content: Reflect is designed to help you explore your thoughts and ideas. Accordingly, we collect the text, journal entries, and other materials you input into the app (for example, typed text, voice-to-text transcriptions of your voice, or any notes you write). If you choose to use a file-upload or image-upload feature (if offered in the app), we would collect that content as well.

  • Voice-to-Text: If you use a voice-to-text feature, your spoken words may be processed by your device’s built-in speech recognition (e.g., Apple’s on-device engine) or a third-party transcription service. Reflect does not store any raw audio; we receive only the transcribed text (which then becomes part of your journal for generating AI responses).

  • Communication Information: If you contact us directly (for example, by email or through a feedback form or social media), we will collect your name, email address, and the contents of your message or communication. This may also include any additional information you choose to provide. We use this information to respond to your inquiries, provide support, and improve our Services based on your feedback.

  • Other Information You Provide: Occasionally, you might provide additional data — for example, if you fill out a survey, participate in a beta testing program, or provide optional demographic information (such as your age range or well-being goals) to personalize your experience. We will collect whatever information you choose to provide in these contexts.

  • Reflect is a wellness tool, not a medical service. We do not process Protected Health Information under HIPAA and do not provide diagnosis or treatment.


Personal Data We Collect Automatically: When you use or interact with Reflect, we automatically collect certain technical data and usage information. This may include:

  • Log and Device Data: When you use Reflect, our servers automatically collect certain technical information. This “Log Data” includes things like your device’s IP address, hash identification, device model and operating system (e.g. iPhone and iOS version), the dates/times you use the app, and your interactions with the app’s features (for example, which journaling tools you use and for how long). We use this data for performance monitoring, security and fraud prevention, troubleshooting issues, and to learn how users engage with Reflect (which helps us improve features and compatibility across different devices).

  • Approximate Location: We may infer your general location (city or region) from your IP address. This is not precise GPS data, but it helps us with security (e.g. detecting unusual login activity) and understanding regional usage trends. We may not collect your exact location or GPS coordinates.

  • Cookies (Web Use Only): If you use a Reflect website or web portal, we may use cookies or similar technologies to remember your preferences, keep you logged in, and collect analytics information. (For example, a cookie might save your session ID so you don’t need to log in every time.) We will display any required cookie notices or banners and obtain consent for non-essential cookies as applicable law requires.


Personal Data We Receive from Other Sources: We may also receive information about you from third parties or public sources, such as:

  • Third-Party Services & Partners: If you use Reflect in combination with or through a third-party service (for example, an analytics, error-tracking, or authentication partner), that third party may send us information about you as needed for our service. We ensure that any such partner only uses your data for our authorized purposes and protects it with standards comparable to ours.

  • Apple (App Store) and Payment Processors: If you purchase a Reflect subscription through the Apple App Store (or another platform), that platform gives us basic subscription information (for example, confirmation that you are subscribed, your next renewal date, or if a refund occurred). This lets us activate your premium features. We do not receive your credit card or other payment details—at most, we get a transaction ID or similar reference.

  • Marketing or Referral Sources: If you found Reflect via an advertisement or referral link, we may receive a reference ID or similar information to know which campaign or source led you to us. We use this to evaluate marketing performance. We do not receive any of your personal details from ads or referral partners—only the info needed to see how you found our app.


AI Processing Partners. When you use Reflect’s AI features, we send your content to trusted processing partners:

  • OpenAI. OpenAI normally stores API prompts and outputs for up to 30 days for trust-and-safety monitoring and never trains its public models on your data. However, under a June 2025 federal court preservation order in *The New York Times v. OpenAI*, certain OpenAI logs—including standard API traffic—are now retained until that litigation concludes. These logs are held in a segregated legal-hold system, are accessible only to a limited legal/security team, and remain excluded from model-training.

  • Apple Speech. If you enable speech input, the Apple Speech framework transcribes your audio. By default, Apple does not retain your audio recordings. If you have iOS’s Improve Siri & Dictation setting ON, Apple may keep a sample of your audio for up to 6 months tied only to a random identifier and may retain a de-identified transcript for up to 24 months to improve recognition accuracy. Apple does not link these samples to your Apple ID or use them for advertising. We do not use any partner that sells or markets your data.

 



2. How We Use Personal Data


We use the Personal Data we collect for the following purposes (and in accordance with the legal bases permitted under applicable law):

  • To Provide and Personalize Our Services: We use your information to operate the Reflect app and deliver its core functionality to you. This includes using your Input to generate AI-based journaling reflections or suggestions, maintaining your account and preferences, and delivering content back to you. For example, we use the text of your journal entries to generate personalized prompts or insights tailored to you. Without your data, these features cannot function. (Legal basis: performance of a contract with you, i.e., providing the services you’ve requested.)

  • To Improve Our Services: We analyze how users interact with Reflect (in aggregated or de-identified form) to understand what is working well and what can be better. For example, we may measure how often certain features are used or test changes using anonymized data. This helps us fine-tune Reflect’s functionality and the relevance of AI responses over time. (Legal basis: Our legitimate interest in continually improving the product.)

  • To Communicate: We use your contact information (e.g. email) to send you necessary communications about the Service – for example, welcome messages, subscription confirmations, support responses, or important account and policy updates. We may also send you tips or educational content to help you use Reflect, and – only if you have opted in – occasional news or promotional updates about new features. You can unsubscribe from non-essential emails at any time. (Legal basis: Our legitimate interest in providing you service updates; and your consent for any marketing communications, where required.)

  • To Protect Users and the Service: We use information to maintain security and prevent fraud, abuse, or unsafe activities. For instance, we may analyze IP addresses and login attempts to detect bots or unauthorized access (e.g. many failed logins might indicate a brute-force attack). If content or usage violates our Terms (for example, prohibited scraping or disallowed content input), we may process that data to enforce the Terms and protect our platform. We may also use data to investigate potential violations and cooperate with law enforcement when legally required. (Legal basis: Our legitimate interest in safeguarding the service and users; and compliance with legal obligations.)

  • To Meet Legal Requirements: We will use or disclose your data as needed to comply with applicable laws, regulations, legal processes, or enforceable governmental requests (for example, court orders or law enforcement demands). This includes using data to satisfy financial record-keeping rules (e.g. tax or accounting requirements for purchases) or to establish, exercise, or defend our legal rights. We may also process data to protect our rights or the rights, property, or safety of you, other users, or others if necessary. (Legal basis: Compliance with legal obligations; and protection of vital interests or our legitimate interest in defending legal rights.)

  • To Produce Anonymous Insights: We may combine and anonymize personal data so that it can no longer be linked to any individual (for example, calculating the percentage of users who use a particular feature, or the average number of journal entries per user). We use these aggregated statistics for research and analysis, or to share general usage trends publicly. We will not attempt to re-identify anonymized data except if required by law (for instance, a legal investigation).

  • No Third-Party Advertising: We do not use your personal data for third-party advertising. Reflect does not show third-party ads, and we do not sell your data to advertisers. If we ever introduce advertising or new data uses, we will update this Policy and (where required) provide you with a chance to opt out.

  • Safety Review Data. We use automated filters to detect content that may violate our Acceptable Use & Safety rules. When a flag is raised, a human reviewer may see the flagged text and the AI response only to (a) check filter accuracy, (b) improve future filters, or (c) comply with law.



We will not use your Personal Data for any purposes other than those described above, unless we obtain your consent or have a legal obligation or other lawful basis to do so. If we ever need to process your data for a new purpose not outlined here, we will notify you and, if required, seek your permission.


We do not actively monitor your private journal content for safety issues, nor do we normally share it with authorities. However, if we become aware of an imminent threat of serious harm (for example, if you explicitly inform us of such a threat), we may in good faith report the minimum necessary information to law enforcement to try to prevent harm. We are not obligated to do this, but reserve the right in these rare circumstances.

 

 


3. Disclosure of Personal Data


We may share or disclose your Personal Data in the following circumstances, and always in accordance with applicable privacy laws:

  • Service Providers: We share information with third-party vendors who perform services on our behalf, such as cloud hosting (storing data and running the app), analytics and crash reporting (to help us fix bugs and improve performance), email delivery (sending you messages), and our AI technology partner OpenAI (which processes your text to generate responses for you). These providers are only allowed to use your data to provide their services to us – they can’t use it for anything else. We also require them to protect your data with appropriate security measures. (For example, your account and journal data may be stored on Google Cloud/Firebase servers, and when we send your text to OpenAI for an AI response, that content is handled under our agreement with OpenAI.)

  • Business Transfers: If we undergo a business transaction like a merger, acquisition, sale of assets, or a financing/reorganization, your Personal Data may be transferred to the new owner or partner as part of that deal. In such cases, we will ensure the new entity is required to protect your data in a manner consistent with this Privacy Policy, or we will notify you and seek any legally required consents if policies change.

  • Legal and Safety Disclosures: We may disclose your Personal Data if we in good faith believe it’s necessary to comply with a legal obligation, government request, or legal process (for example, a court order or subpoena). We may also disclose information if needed to: (a) enforce our Terms of Use or other agreements; (b) investigate or defend against legal claims; (c) protect the security or integrity of the Services (such as investigating suspicious activity or technical issues); or (d) protect the rights, property, or safety of Solo Eleven, our users, or others. This kind of disclosure may include sharing data with other companies or organizations for fraud prevention and security (for instance, exchanging information to guard against spam or malware).

  • Affiliates: We may share your information with our affiliates (e.g., parent company, subsidiaries, or other companies under common ownership with us). Any such affiliate will only use your data in ways that are consistent with this Privacy Policy.

  • With Your Consent or Direction: We will share your information with third parties if you ask us to or explicitly consent to it. For example, if you choose to share a portion of your journal publicly or with a community, or if you request an integration that sends your data to another app/service, we will share data as directed by you.

  • Sharing by You: If you voluntarily share your Reflect content with others, or export it to a third-party service, those recipients will have access to the information you shared. For example, if you generate an AI reflection and send it to a friend or create a shareable link, anyone with that link or message can view what you shared. Likewise, if you connect Reflect to an external app and send data there, that data will be governed by the other app’s privacy practices. Please be mindful and check privacy settings whenever you share your information outside of Reflect.

  • Enterprise or School Accounts: If you use Reflect with credentials provided by an organization (such as your employer or school) that has an enterprise account with us, the authorized administrators of that organization may gain access to your Reflect account data (including journal entries and usage information). In such cases, the organization can view, monitor, or delete your content per their policies. We will inform you if your account is being converted to an organization-managed account, and you will have the chance to opt out (for example, by using a personal email instead) if you do not want to participate in the organization’s plan. Any data shared with the organization will be limited to what is needed to provide the enterprise service, and all handling of your data by the organization must remain consistent with this Privacy Policy and our agreement with them.


Texas Consumer Notice (DTPA).

  • No misleading data practices — all collection and use of data are described in this Policy.

  • AI output may be inaccurate — evaluate any AI response before relying on it.

  • No sale or rental of personal data — we do not sell your data or share it for third-party marketing.

  • No discrimination for exercising privacy rights.


We do not sell your Personal Data to third parties for monetary consideration. We also do not share your Personal Data with third parties for their own direct marketing purposes.


For voice features we share transcribed text with Apple/OpenAI (see §2 Voice-to-Text).



 

4. Data Retention


We retain your Personal Data for only as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required or permitted by law. In determining how long to keep data, we consider factors such as:

  • The nature of the data and the purpose for which it was collected (e.g., account information is kept while your account is active; conversation data is kept to provide you ongoing access to your journal history and AI context).

  • Our legal obligations (e.g., certain transaction records may be kept for financial reporting or legal compliance).

  • Potential disputes or enforcement of our agreements (we might retain certain data if we believe an issue may arise, such as records of consent or opt-outs).

  • Security and fraud prevention (we may retain logs for a period of time to investigate suspicious activity).

  • Backups and archiving practices (data might remain in secure backups for a short period even after deletion, but we have procedures to delete or anonymize data from backups after a retention period). Backups are purged or anonymized after 90 days. Security logs may be kept up to 90 days (or longer if we are investigating, or monitoring and improving our abuse systems).


In practice, this means:

  • Identifiable chat logs are retained for up to the life of the account from the date of creation so you can revisit recent entries, and we can troubleshoot issues.

  • After 90 days, we permanently delete the lookup that ties those logs to your email (or encrypt it and destroy the key). After that point the remaining text is de-identified and may be kept indefinitely for research and product improvement. If you wish, you may limit use of your sensitive journal data solely to providing the real-time Service – contact us to opt out of any use for research/improvement.

  • Litigation hold: If we reasonably expect a legal claim involving your account, we place those relevant logs under litigation hold, overriding the 90-day schedule until the matter is resolved.

  • Safety snapshots. When a message triggers our moderation and safety filters, we save a limited snapshot (user prompt, our refusal/hotline response, timestamp, etc.). These safety snapshots are kept indefinitely to audit and improve our safety systems, and to defend against related legal claims.


Data Retention & Deletion. Your journal and profile stay only while your account is active (or until you delete them). After you delete, we anonymize or erase any identifying link within 90 days. OpenAI normally deletes API text within 30 days, but a court order tied to the NY Times v. OpenAI lawsuit is forcing it to hold standard-API logs longer until the case ends. Apple stores no audio by default; if you’ve opted in to Improve Siri & Dictation, Apple may keep a sample of your audio for up to 6 months and a de-identified transcript for up to 24 months. Neither partner uses this data to train public models.


Future Feature Growth. While we currently do not offer certain functionalities (like partial deletion of individual journal entries) or advanced analytics integrations, we may introduce them in the future to improve our Services. If we do, we will update this Privacy Policy (and other relevant sections) to explain how any new features or data-handling processes work, and will provide you with notice if any changes affect how we collect, store, or delete your information.


When we no longer have a legitimate need to retain your Personal Data, we will securely delete or anonymize it. If deletion is not feasible (e.g., because data is stored in long-term backups), we will securely store it and isolate it from further use until deletion is possible.

 

 


5. Your Rights and Choices


Depending on the laws that apply to you (often based on your place of residence), you may have certain rights regarding your Personal Data. We will honor all applicable data subject rights to the extent required by law. These rights may include:

  • Deletion of Entries: Currently, you cannot delete individual journal entries or AI conversations without deleting your entire account. This is due to how Reflect stores your journal as one continuous thread. If you wish to remove specific content, you would need to delete your account (which erases all your personal data, subject to limited retention as noted above). We are continually evaluating features like partial deletion for future updates.

  • Access and Portability: You have the right to request a copy of the Personal Data we hold about you and to obtain information about how we process it. You may also have the right to obtain your Personal Data in a structured, commonly used, and machine-readable format, and to have it transmitted to another controller (data portability), subject to certain exceptions.

  • Correction (Rectification): If the Personal Data we hold about you is inaccurate or incomplete, you have the right to request that we correct or update it. In many cases, you can update basic account info (like your email) directly in the app.

  • Deletion (Erasure): You have the right to request that we delete your Personal Data. For example, you can request deletion of your entire account (which will remove your profile information and all journal content). Note: Reflect stores your conversations in a single continuous journal thread in our database. At this time, we may not support deleting individual messages or entries without deleting the entire account. If you wish to remove your data from Reflect, you may need to delete your account, which will erase all associated Personal Data and content (subject to our data retention policy above and technical feasibility). We will honor deletion requests in accordance with applicable law.

  • Restriction of Processing: You have the right to request that we limit the processing of your Personal Data under certain circumstances (for example, if you contest the accuracy of the data, you can request we restrict processing until we verify its accuracy).

  • Objection to Processing: You have the right to object to our processing of your Personal Data in certain situations, especially if we are processing it based on our legitimate interests or for direct marketing.

  • Withdraw Consent: If we are processing your Personal Data based on your consent, you have the right to withdraw that consent at any time. For instance, if you consented to receive promotional emails, you can opt out; if you consented to a survey or beta program, you can withdraw and we will stop using your data from that program.

  • Non-Discrimination/No Retaliation: If you exercise any of these rights, we will not discriminate against you or deny you our Services as a result. (However, please note that requesting deletion or restricting processing of certain data might affect our ability to provide the Service — for example, if you ask us to delete or stop using your journal content, the AI features will not function.)

  • Exercising Your Privacy Choices. You have universal rights to access, delete, and correct your personal data, or to object to certain processing, as described in this Privacy Policy. If you live in California, Colorado, Virginia, or any other U.S. state with specific statutory rights, please see §8 “Your U.S. State Privacy Rights” for details on those rights and how to exercise them.


To exercise any of your rights, you can contact us at the email or mailing address provided in the “How to Contact Us” section at the end of this policy. Please clearly describe your request and which right you are seeking to exercise. We may need to verify your identity before fulfilling certain requests (to protect your privacy and security). For example, we might ask you to verify control of the email associated with your account or provide additional information that only the account holder would know.


In some cases, we may decline or limit a request, such as when we cannot verify your identity, if the request involves disclosing data about another individual (and we cannot obtain their consent), or if we have a legal obligation or legitimate business reason to keep the data. We will respond to your request within the timeframe required by law (typically within 30-45 days).


California Residents: If you are a California resident, you have specific privacy rights under the California Consumer Privacy Act (CCPA) and its amendments (like CPRA). These include the right to know, the right to delete, the right to correct, the right to opt-out of “sales” or certain data sharing, and the right to non-discrimination. This Privacy Policy is designed to comply with those requirements. See the section Additional U.S. State Disclosures below for more information tailored to California and other state laws.


European Residents: While our Services are intended for U.S. users, if you are in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR) or equivalent laws. This policy is intended to give you information required by those laws (like describing our data processing purposes and legal bases). As noted, you can request access, correction, deletion, etc. If you believe we have not complied with your GDPR rights, you have the right to lodge a complaint with your local data protection authority. However, since we currently target the U.S. market, we do not have an EU/UK representative.


Managing Your Data in Reflect: The Reflect app may offer in-app settings or tools to manage certain data. For example, you might have settings to edit your profile, or export your journal entries. We encourage you to explore the app’s settings for options that give you direct control. For anything not directly available in the app, please contact us.


Note on AI-Generated Content Accuracy: Reflect incorporates AI-generated content, which uses statistical models to predict responses. These models may occasionally produce inaccurate or incomplete information. You should not rely on the factual accuracy of AI-generated output without independent verification. If you notice that your conversation contains factually incorrect information about you (Personal Data) and you would like to request correction or deletion of that information, you can contact us with your request. We will treat it similarly to a request to correct or delete your data, though we will consider the technical feasibility and the nature of AI outputs. (In some cases, it may be more feasible to delete the content than to “correct” an AI statement.)


Where Your Data Lives: Journals, transcripts, and account details are stored in Google data centers located in the United States (primary region: us-central). OpenAI (including Whisper audio) and Apple also process your text/audio on U.S. servers only; we do not authorize processing in any other country. If you access Reflect from outside the U.S., you understand your data will be transferred to—and governed by U.S. law in—those U.S. data centers.

 

 


6. Children’s Privacy (Ages 13-17)


Our Services are not directed to children under 13, and we do not knowingly collect Personal Data from children under 13 years of age. If you are under 13, please do not attempt to use our Services or send any personal information to us.


If we learn that we have inadvertently collected Personal Data from a child under 13, we will promptly take steps to delete such information from our records. If you are a parent or guardian and discover that a child under 13 has created an account or provided us with Personal Data without your consent, please contact us at our support email so that we can take appropriate action.


If you are under 18, you may use Reflect only with your parent or guardian’s permission (as noted in our Terms of Use). We encourage parents/guardians to discuss responsible usage with their teens and supervise use as needed.

 

 


7. Data Security


We implement commercially reasonable technical and organizational measures to protect Personal Data against unauthorized access, loss, misuse, or alteration. These measures include encryption of data in transit, access controls to our databases, regular security assessments, and limiting access to Personal Data only to those employees and service providers who need it to perform their duties. We protect your journal and account data with industry-standard safeguards: TLS 1.2+ encryption for every network request; AES-256 encryption at rest. OpenAI and Apple process text/audio over TLS and hold it ≤30 days for abuse-detection only.


That said, no method of transmission over the Internet, or method of electronic storage, is 100% secure. We cannot guarantee absolute security. You should use caution when transmitting sensitive information via any app or service. Protect your account credentials and do not share your password with others. If you believe your Reflect account has been compromised, please contact us immediately.


Accordingly, we do not accept liability for the security or availability of any third-party platforms or networks that we do not own or control, or for any unauthorized access, disclosure, or loss that results from their acts or omissions.


We are also not responsible for vulnerabilities or breaches that occur on your own devices or networks, which are outside of our control. (For example, if your phone is jailbroken or infected with malware that logs keystrokes, that is beyond our ability to prevent.)


In the event of a data breach that affects your Personal Data, we will notify you and/or the appropriate regulatory authorities as required by law. We encourage you to keep your device secure, set a strong passcode, and avoid sharing account credentials. Remember: anything you choose to store in Reflect is personal but not protected by doctor-patient privilege.

 


 

8. Additional U.S. State Disclosures


Some U.S. states have enacted privacy laws that require specific disclosures and grant residents certain rights. This section provides supplementary information for residents of those states (such as California, Colorado, Connecticut, Utah, and Virginia) and should be read in conjunction with the rest of our Privacy Policy.


Categories of Personal Data Collected: In the past 12 months, we have collected the following categories of Personal Data (as defined by applicable state law) about users:

  • Identifiers: e.g., name, email address, account login credentials, IP address, and device identifiers.

  • Personal Information: e.g., any information you provide in your account profile or communications (which may include things like age range if provided, but we do not collect Social Security numbers, driver’s license numbers, or financial account info from you).

  • Protected Classifications: We do not actively collect sensitive demographics like race, ethnicity, or health diagnoses from you. You may voluntarily disclose information about your mental health or feelings in journal entries, but we do not classify or categorize you by any protected class. We also do not infer such characteristics about you.

  • Commercial Information: e.g., records of purchases or subscriptions (the fact that you subscribed, transaction IDs, and subscription term).

  • Internet or Other Electronic Network Activity: e.g., usage data, logs, interactions with our app, and website cookies as described above.

  • Geolocation Data: general location inferred from IP (city/region), and precise location only if you chose to share it (which is not collected by default).

  • Audio/Visual Data: If you use voice features, we process audio to text (but do not store the audio). When Whisper is enabled, audio is disclosed to OpenAI under the same 30-day abuse-detection retention.

  • We may in future allow you to upload an image or avatar; any such visual data is provided by you. We do not collect photos, videos, or recordings of you without your consent.

  • Professional or Employment Information: Not collected (unless you provided something in a communication).

  • No “sale” or “sharing” of data of California users under 16.

  • Education Information: Not collected (unless you share something in your content).

  • Inferences: We do not profile you to create marketing inferences. The AI might generate inferences during a conversation (e.g. “It sounds like you’re feeling happy today”), but we do not store those as a user profile or use them to target you. We do not infer characteristics about you for advertising or other external purposes.


Purposes for Collection: We collect and use the above categories of data for the business and commercial purposes described in Section 2 (How We Use Personal Data) of this policy. For example, identifiers are used to create your account and secure it, network activity is used to improve the service and for security monitoring, etc.


Categories of Third Parties to Whom We Disclose Data: We may disclose the above categories of Personal Data to third parties as described in Section 3 (Disclosure of Personal Data). In summary, in the past 12 months we have disclosed these categories of Personal Data for our business purposes to: service providers (including cloud hosting providers, analytics providers, OpenAI as our processor for AI processing, and email service providers), and possibly to authorities or other parties for legal compliance if required. We do not sell personal data, and we do not share personal data for cross-context behavioral advertising. We also do not process sensitive personal data for the purpose of inferring characteristics about a consumer.


Your U.S. State Privacy Rights: Some U.S. state laws (like California’s CCPA/CPRA and similar laws in Colorado, Virginia, etc.) provide residents with specific privacy rights. We designed our practices to meet those requirements. In particular:

  • No “Sale” or Targeted Advertising: We do not sell your personal data for money, and we do not share it for cross-context behavioral advertising. (Thus, there is no need to opt out of these practices.) If we ever decide to use your data in a way that legally constitutes a “sale” or “sharing,” we will provide a clear opt-out.

  • Use of Sensitive Information: We do not use or disclose sensitive personal information in any way that would trigger a right to limit under applicable law. Any sensitive data you provide (for example, journal content about health or feelings) is only used to provide the Reflect service to you, not to profile you or for third-party marketing.

  • No Direct Marketing Disclosure: We do not share your personal information with third parties for their own direct marketing purposes (per California’s “Shine the Light” law). If that ever changes, we will update you and allow the requisite opt-outs.

  • Exercising Your Rights: If you are a resident of an applicable state, you may have the right to access the data we have about you, delete your data, correct inaccuracies, or opt out of certain processing. You (or an authorized agent acting on your behalf) can exercise these rights by contacting us (see “How to Contact Us” below). We may verify your identity (or an agent’s authority) before fulfilling requests, as required by law. If we decline to act on your request, you have the right to appeal our decision (and we will tell you how, if it happens).

  • Personal Information. We treat your journal entries and voice transcripts as “sensitive personal information” under the California Privacy Rights Act (CPRA), Texas Data Privacy & Security Act (TDPSA), and similar laws. We use this data only to operate Reflect and do not sell or share it for advertising. Your rights (CA, TX, CO, CT, VA, and similar): you may (a) request a copy of your data; (b) ask us to delete or correct it; (c) opt out of any sale or sharing; and (d) limit use of sensitive data to the services you request. We will respond within 45 days (or the shortest period required by law).

  • Do other U.S. state residents have privacy rights? Yes. If you are a resident of any U.S. state that grants privacy rights to consumers (such as Colorado, Connecticut, Utah, etc.), we will honor your rights in accordance with applicable state laws. This means you may have the right to request access to or deletion of your personal information, to correct inaccurate information, or to opt out of certain data processing (like targeted advertising or sales of data), subject to the conditions and exceptions in those laws. Reflect does not sell your personal information or share it for cross-context behavioral advertising.

  • Limit Use of Sensitive Data: Because we use sensitive journal information only to provide you Reflect’s core services, we believe our practices comply with laws allowing you to limit use of sensitive data. If you still prefer that we do not retain or use your sensitive personal data for any product improvement or research after serving you, please contact us and we will honor applicable requests.


We will not discriminate against you for exercising any of these rights. If you have questions or requests, please contact us at any time.

 


 

9. International Data Transfers


Reflect is operated from the United States and does not serve other markets at this time. If you use Reflect from outside the U.S., your personal data will be transferred to and processed in the U.S., which may have different data protection laws than your country. We apply the same high standards of privacy and security to all user data, no matter where you’re located. If required for compliance (for example, to serve users in the European Economic Area or other regions with data transfer rules), we will implement appropriate safeguards (such as Standard Contractual Clauses) to ensure your data is protected when it moves to the U.S. By using Reflect, you acknowledge that your information will be transferred to our U.S. systems and handled as outlined in this Privacy Policy.

 


 

10. Changes to this Policy


We may modify this Privacy Policy from time to time (for example, if we introduce new features or to comply with new legal requirements). If we make changes, we will update the “Last Updated” date at the top of the Policy. For any significant changes, we will provide a prominent notice (such as an in-app alert or email) to inform you. We encourage you to review this Policy periodically to stay informed about how we protect your information.


If we make material changes that would negatively impact your privacy rights, we will provide a prominent notice (for example, via the app or by email) and obtain your consent if required by law. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.


Your continued use of Reflect after any updates to this Privacy Policy indicates your acknowledgment of the changes. If you do not agree to the revised policy, you should discontinue use of the Services or contact us to delete your data.



 

11. How to Contact Us


If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, you can contact us at:


Solo Eleven LLC (d/b/a Reflect)
ATTN: Privacy / Legal
5900 Balcones Drive Suite 100, Austin, TX 78731


Email: legal@reflect.chat


We will do our best to address your inquiry promptly and thoroughly. Your trust is extremely important to us, and we welcome your feedback on any aspect of our privacy practices.


Reminder. Reflect is a self-reflection tool, not a healthcare provider. The privacy of your entries is protected under this Policy, but not under medical privacy laws. Think of it like a diary, not a therapy session. While Reflect is not governed by healthcare privacy laws, we still commit to protecting your data as described here, using encryption and security measures. Just remember that this isn’t the same as sharing information within a doctor’s office; it’s more like storing it in a personal journal app.